Date: Tue, 28 Nov 2000 10:17:04 +1100 From: Shaun Clowes <shaun@SECUREREALITY.COM.AU> Subject: Re: Security problems with TWIG webmail system To: BUGTRAQ@SECURITYFOCUS.COM > Twig is a popular webmail system written in PHP, once called Muppet. > Author: Christopher Heschong > Homepage: http://twig.screwdriver.net > Version: 2.5.1 ( latest ) > Problem: The possibility of processing our own php file , can leed to > arbitrary command execution on the server as the httpd user. I'll refrain from the usual comments about disclosure of vulnerability information without fix details. As a short term fix try the following: Simply add: unset($config); unset($vhosts); at the top of config/config.inc.php3 Also add: unset($dbconfig); at the top of config/dbconfig.inc.php3 for good measure. Please note that this vulnerability is only exploitable if the URL fopen wrappers functionality is compiled in (it is by default) and the script isn't being run on the windows platform (Windows does not support Remote Files functionality in include() statements). Cheers, Shaun Clowes SecureReality Pty Ltd. http://www.securereality.com.au